The scientific community in Europe is deeply concerned over the risks that Europe's new rules on data protection present for research. But the Italian government, which currently hold the rotating presidency of the EU's Council of Ministers, admitted only days ago that it had been unable to resolve many of the outstanding questions, and is obliged to leave many of the big decisions on data protection to the incoming presidency.

Latvia, which takes over the presidency on 1 January, must try to secure an agreement between member states during the next six months, and start negotiations with the European Parliament. Anastassia Negrouk spelled out the dangers seen by the European Organisation for Research and Treatment of Cancer (EORTC), the Brussels-based scientific organisation where she is head of international policy.

"Medicine is based on evidence, and improving healthcare in the EU depends on stimulating high quality medical and healthcare research", she told European Voice. European politicians have to play their part, too, she went on. They have to provide the legal framework for that research so that it can provide reliable answers as rapidly and cost-effectively as possible. And, she says, in terms of the data protection legislation now in the pipeline, it looks as if they are not doing their job.

The regulation that the European Commission proposed in 2012 might have helped, says Negrouk. It made no specific provision for health research, but it aimed to ease some administrative requirements for research conducted with pseudo-anonymised data, and it offered some exemptions helpful to research activities, such as maintaining cancer registries. The health research community gave the proposal a broad welcome, while offering a few suggested improvements. But the proposal prompted a huge response from a wide range of stakeholders, frequently hostile to what was seen as insufficient provision for protecting personal data. Once the European Parliament started its work on the text it was deluged with input, and by March 2013 a record number of more than 3,000 amendments had been put forward by MEPs, many of them relating to issues of consent to use of personal data.

Very counterproductive

Negrouk says the parliament's approach, in its formal vote on the proposal earlier this year, includes some "very counterproductive" elements – particularly the requirement for specific and explicit informed consent in most instances, and tighter limits on the exemptions envisaged by the commission. One of the few concessions for health is access to data that are fully anonymised. But anonymous data are of limited value in health research, she points out, while the secure use of pseudo-anonymised data can rapidly advance medical and health research without any risk to patient privacy or data confidentiality. In parallel, the council has been working its way through the proposals, and "as member states have more insight into the realities of healthcare research", says Negrouk, the amendments they are suggesting are more in line with the needs of the scientific community. "However, even their text needs further clarification – and the Parliament and Council still have to start negotiations in search of a compromise", she points out.

The concern within EORTC is that vital principles of medical science will be overlooked in the upcoming final stages of the discussions. Negrouk emphasises the central role of data in medicine. "Physicians have always built their individual and collective knowledge through their experience gained in diagnosing and treating patients and exchanging case experiences with colleagues", she says. And although healthcare is nowadays more complex, the same is true today, she goes on. "Patient data are shared with other staff, generated by laboratories, reviewed by epidemiologists, statisticians, and other specialised researchers – and this collaboration is essential to provide the evidence to support better healthcare". The capacity to collect and store data over the long term is essential for health research, she says. Analysing stored data, including from patients seen years ago, can provide valuable new knowledge, often by using a new angle or combining it with data from other sources such as registries. Data routinely collected in standard medical follow-up can serve to improve the quality of care and to increase knowledge about treatments and procedures. Combining data from different sources can increase understanding of the long-term effects of treatment – including late toxicity, for example. This so-called secondary use of data also helps ensure transparency in research. It permits public scrutiny of data supporting authorisation decisions on medicines. But the data protection amendments as voted by EU parliament would even prevent that type of data sharing – on the grounds of protecting patient privacy.

A decline in the quality of healthcare

"Not being able to perform research like this would lead to a decline in the quality of healthcare", says Negrouk. It would be all the more of a wasted opportunity at a time when new technologies for handling data in large volumes and at high velocity are now offering unprecedented opportunities for further advances in medical science, she adds. She questions the parliament's determination to prioritise provisions in the EU charter of fundamental rights guaranteeing the protection of personal data. "However, fundamental rights are not limited to a single right", she says. "There are also provisions that scientific research shall be free of constraint, and guaranteeing access to healthcare. The current text as applied to health research may be in violation of those provisions".

To limit research to use new data only, and to condition access to existing data on the specific consent of patients, even when they have already consented to the use of their data for future research, would damage healthcare and waste time and resources, says Negrouk. She points to statements from patient organisations that indicate readiness to share data for research, such as the European Patients Forum declaration that: “We, as patients, are increasingly aware of the value and importance of sharing their data. From the patients’ perspective, use of health and genetic data is vital to advancing health research."

Sympathetic to hesitations

She is sympathetic to the hesitations exhibited by the general public over sharing of data for research, but she ascribes this tendency to insufficient awareness of just how tight the existing levels of control over medical and healthcare research are. In research for medicines and for devices and other therapeutic products, the EU framework, backed up by inspections, ensures ethical principles are respected and data handling is respectful of privacy. Ethics committees' approval is also required for research and use of data in exceptional situations, where obtaining consent would be impossible or impracticable. "No breaches involving health research can be found", she said. "Breaches tend to arise from inappropriate or inadequate systems or personal negligence. They cannot be solved by consent, or by additional regulation. In fact, in most cases of reported breaches, individuals gave consent for the data collection and use."

The security controls on medical data already limit risks of leakage, says Negrouk. "Identifiable data may not be stored in a simple table on a personal unprotected laptop. There is no reason to tighten the applicable rules to the point where they render research impossible." She points to the EORTC record: it has been conducting clinical research for more than 50 years, gathering vast volumes of data – but has never suffered a data breach. Instead, if technicalities of appropriate measures need to be adjusted, this should be done by subsidiary legislation by the Commission, such as a delegated act, she says.

No easy consensus

"The Parliament, Council and Commission, and all the other stakeholders, should avoid rushing into any easy consensus on how to regulate data protection for health research. It is important to keep some degree of flexibility in this part of the regulation so that it can be adapted to evolving science", she says. Negrouk is clear about what EORTC doesn't want. And she is equally clear about what it does want. The new regulation should, she says, recognise the importance of health research, and confirm that pseudo-anonymised data is a valid method for protecting privacy. It should also allow prolonged storage and secondary use of data, and endorse the principle of one-time consent, with exemptions for registries and for situations where consent is impossible or impracticable. And if international research is to remain possible, there will need to be some guidance to ensure a minimum level of harmony among any individual measures taken by member states, she says.

The next few months will indicate how far her ambitions are likely to be met.

This article is an extract from EV Healthcare, a professional email newsletter offering a ringside seat as Europe tackles the growing challenges of healthcare. For more information or to request an offer, click here.